Drawing from her experience in military intelligence, a US intelligence agency, and now private sector compliance and cybersecurity consulting, Jenna Waters weighs in on what the SolarWinds attack means for the future of both public and private cyber warfare.
The recent SolarWinds and Hafnium attacks seem to have opened the eyes of many business leaders in corporate America to the true potential impact of cyber attacks, crossing public and private boundaries alike. Historically, many corporations have viewed their internal cybersecurity needs as just another part of the competitive landscape – everyone for themselves, so to speak. Federal roles have been confined to issuing public warnings and performing a post-attack investigation of criminal implications, and private roles have been confined to internal remediation. That thinking is based on an old-world model where each player in the commerce game does its own thing, the government does its own thing, and collaboration is rare. Even with better threat intelligence sharing in place, the kinds of public-private partnerships necessary to win this war are still not in place.
Recent attack trends prove that this age is long gone, however, and it’s time to reevaluate how we define the US cyber ecosystem. More importantly, how can we all stop playing against each other, or merely alongside each other, and begin to see ourselves as active members of the same team?
The Attack Methodology
What we currently know about this particular attack is that hackers infiltrated SolarWinds servers and were able to covertly insert their own malware into software updates. SolarWinds then verified, digitally signed, and distributed those updates to unwitting customers. Since the update came from a trusted source and carried a valid signature, those customers downloaded it, trusting in its authenticity and unaware of any problem. It should be noted here that this tactic is especially clever on the part of attackers, because installing updates is among the most important best practices IT teams undertake to manage vulnerabilities and protect themselves from exploitation. So, the very action they were taking to mitigate risk became the attack vector through which criminals delivered a malicious payload.
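To make concrete why a routine update check did not catch this, here is an added illustration (my own example, not SolarWinds code or anything from the investigation): a toy update verifier in Python. It stands in for the vendor’s code-signing key with an HMAC key, constructs a clean build and a trojanized build, and shows that an implant inserted inside the vendor’s pipeline before signing passes the signature check, while a second, independent attestation (a hash from a reproducible build of the published source, assumed here to be available) does not. All key material, artifact contents and function names are constructed for the example.

```python
import hashlib
import hmac

# Constructed stand-in for the vendor's code-signing key. Real update signing
# uses asymmetric keys; HMAC-SHA256 keeps this example standard-library only.
VENDOR_SIGNING_KEY = b"constructed-vendor-signing-key"

# Constructed artifacts: the build the vendor intended to ship, and the same
# build with an implant inserted inside the vendor's pipeline before signing.
CLEAN_BUILD = b"update-1.2.3: vendor code"
TROJANIZED_BUILD = CLEAN_BUILD + b" + implanted code"


def sign_artifact(key: bytes, artifact: bytes) -> bytes:
    """Vendor side: sign whatever the build pipeline produced."""
    return hmac.new(key, artifact, hashlib.sha256).digest()


def signature_valid(key: bytes, artifact: bytes, signature: bytes) -> bool:
    """Customer side: the check most update clients stop at."""
    return hmac.compare_digest(sign_artifact(key, artifact), signature)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_update(artifact: bytes, signature: bytes, independent_hash: str) -> dict:
    """Require two independent attestations: the vendor's signature AND a
    match against a hash obtained outside the vendor's release channel
    (assumed here to come from a reproducible build of the published source).
    Returns each check's outcome plus the overall verdict."""
    checks = {
        "signature": signature_valid(VENDOR_SIGNING_KEY, artifact, signature),
        "independent_hash": sha256_hex(artifact) == independent_hash,
    }
    checks["accepted"] = all(checks.values())
    return checks


def run_scenarios() -> dict:
    """Three deliveries of the same update, verified with the same policy."""
    # The hash a customer would obtain by rebuilding from source themselves.
    independent_hash = sha256_hex(CLEAN_BUILD)

    genuine_sig = sign_artifact(VENDOR_SIGNING_KEY, CLEAN_BUILD)
    pipeline_sig = sign_artifact(VENDOR_SIGNING_KEY, TROJANIZED_BUILD)

    return {
        # Untouched build: both checks pass.
        "clean": verify_update(CLEAN_BUILD, genuine_sig, independent_hash),
        # Modified after signing (e.g. on a mirror): the signature catches it.
        "tampered_after_signing": verify_update(
            TROJANIZED_BUILD, genuine_sig, independent_hash),
        # Modified inside the vendor's pipeline before signing, the pattern
        # described above: the signature is genuine and passes; only the
        # out-of-band hash reveals the difference.
        "tampered_before_signing": verify_update(
            TROJANIZED_BUILD, pipeline_sig, independent_hash),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24s} {outcome}")
```

The hard part in practice is the second attestation: it only helps if the hash comes from a path the attacker could not also control, such as rebuilding from published source or a transparency log the vendor cannot rewrite, and the example simply assumes such a path exists.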
Scope and Lack of Recourse for Victims
We know that at least 300,000 customers use this platform, and a minimum of 18,000 have been seriously affected after unknowingly incorporating the malware into their own systems and executing it. (If I were a betting person, I’d say that number is likely much higher.) Those affected customers include the State Department, the Department of Homeland Security, parts of the Pentagon, federal agencies, nuclear labs, and Fortune 500 companies. What we can conclude from this is that, at the very least, vastly different stakeholders across separate industries – each with their own internal organizational structures – share common enemies and are falling victim to not just the same attack types, but the very same attacks, levied by the very same attackers. If history has taught us anything, it’s that humans must band together if they want to successfully fight off a common enemy. However, where and how does one prove attribution and lay blame? Then, what can anyone do about it once they have identified the perpetrator? As of right now, the collective view is that this was most likely a Russian state actor, leaving victims essentially powerless.
Building a Collective Framework With Teeth
What is clear at this point is that more legal, structural, and technical standards – even if only expositional to current best practices and legal precedents – could help clarify precisely which core values should be reinforced in the cybersecurity community. However, it cannot be a generalized, wishy-washy approach that is pre-gutted by incomplete legal definitions and broad descriptions of hopeful technical suggestions that amount to hopes and prayers. Rather, it must enable a strong, robust response to actively counter and discourage malicious cyber actions, especially when it’s an attack of this magnitude. Unfortunately, while the US and international governments have verbally condemned the SolarWinds attack, as well as its predecessors (see the Ukraine power grid hack in 2015), we have not seen the collective and collaborative action in partnership with the private sector that is desperately needed for cybersecurity defenses to truly succeed. The two MUST work together. We need the capability to follow through and punish those who violate sovereign cyberspace and proprietary systems – particularly when the consequences are this extreme and so many are affected by a single attack.
First Steps to Get Us There
Obviously, every organization that cares about business continuity and securing its environment needs a robust security program, but this doesn’t accomplish the collaborative piece needed to address the kinds of significant threats we are seeing today. What we need is to begin working together. Experts at the highest level in cybersecurity have been calling for collaboration for some time, recognizing that without such an approach, individual organizations and agencies are basically sitting ducks. In response to this call, groups like Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) have popped up across the US, helping foster information sharing between cybersecurity professionals. These are designed to be neutral spaces where people can set aside the competitive landscape and the fear of exposure over the threats they are seeing, and simply share information, tactics, and discoveries that will help others identify and mitigate similar threats or attack patterns. Quite often, these groups also enlist the help of experts from universities, current or past government posts, and private cybersecurity service providers. TRUE experts participate in several regional ISAOs and ISACs, contributing industry knowledge, first-hand experiences, and expertise directly from the field. The more these communities grow, the stronger our networks will become in their ability not only to help strengthen one another, but to inform and support broader accountability measures.
Where We Have to End Up
At the end of the day, the way to dissuade attackers – whether they are disassociated groups or sanctioned nation-state actors – is through collective action. Both internationally and domestically, across private and public sectors, collective action can impose consequences and establish customary and enforceable domestic and international law that has the ability to remove hiding places and the “wild west” environment for cyber criminals. I believe that if we are going to prevent the next cyber “conflict” from spiraling out of control into genuine cyberwarfare, international and domestic action are urgently and critically imperative.
If you would like to talk with someone about your organization’s potential risk or how to better protect yourself against cyber attacks, you can request a consultation with one of our TRUE professionals.